
Privacy Notice

Effective: 17 April 2026

Contents

  1. Controller
  2. Data Protection Officer
  3. General principles
  4. Data-subject rights
  5. Processing on website visit
  6. Processing in the SaaS application
  7. Sub-processors
  8. Storage period and deletion
  9. No automated individual decision-making
  9a. Employee data protection (HR module)
  9b. Data origin for third-party imports
  10. Security
  11. Changes to this notice

1. Controller within the meaning of the GDPR

The controller for data processing on this website and within the SaaS applications distributed by Consiliari Software GmbH (in particular "Temporalis EMS", "Kontrakte.AI" and "DOT") is:

Consiliari Software GmbH
Brauerstraße 12
76135 Karlsruhe
Germany

Represented by the managing director: Raphael J. N. Hettich, M. Sc.

Phone: +49 721 61932916
Email: software@consiliari.de
Commercial register: Local Court Mannheim, HRB 753583

The applications are developed by the affiliated Consiliari GmbH (Local Court Mannheim, HRB 727046, same address). Consiliari Software GmbH acts as the contracting party for customers and is the controller within the meaning of the GDPR for all processing described here.

2. Data Protection Officer

Our Data Protection Officer is:

Benjamin Berger
c/o Consiliari Software GmbH
Brauerstraße 12, 76135 Karlsruhe
Germany
Email: dsb@consiliari-software.de
Phone: +49 721 61932916

Within the Consiliari group (Consiliari Software GmbH and Consiliari GmbH), Mr Berger acts exclusively as Data Protection Officer. He is not involved in management, development, sales, IT administration or any other operational management functions. This ensures the independence and freedom from conflicts of interest required by Art. 38 (6) GDPR and the EDPB guidelines WP 243 rev.01.

3. General principles

We process personal data only within the framework of statutory provisions, in particular the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Telecommunications Digital Services Data Protection Act (TDDDG). This notice informs you about the type, scope and purpose of the processing of personal data when visiting our website (consiliari-software.de) and when using our SaaS applications.

Our offering is directed at entrepreneurs (§ 14 BGB) and their employees aged 16 and over. We do not knowingly process data of minors under 16 (Art. 8 GDPR); as soon as we become aware of such data, it is deleted without undue delay.

4. Data-subject rights

Under the GDPR you have the following rights vis-à-vis us:

  • Right to access (Art. 15 GDPR) regarding the data stored about you
  • Right to rectification (Art. 16 GDPR) of incorrect data
  • Right to erasure (Art. 17 GDPR) ("right to be forgotten")
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR) in a structured, common format
  • Right to withdraw consent (Art. 7 (3) GDPR) with effect for the future
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Right to object (Art. 21 GDPR): You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you that is based on Art. 6 (1)(f) GDPR (legitimate interests). Where we process your data for direct marketing, you have the right to object to such processing at any time. After your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

Responsibility and response deadline: We respond to requests within one month of receipt (Art. 12 (3) GDPR). Where your request concerns data that you have processed in your capacity as a user of a customer tenant (i.e. as an employee of a customer of Consiliari Software GmbH), we forward the request to the relevant customer (controller) within 5 business days and inform you accordingly.

The supervisory authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI)
Lautenschlagerstraße 20, 70173 Stuttgart
Phone: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Web: https://www.baden-wuerttemberg.datenschutz.de

To exercise your rights, an informal message to dsb@consiliari-software.de is sufficient.

5. Processing when visiting our website (consiliari-software.de)

5.1 Server log files

When you access our website, our hosting provider automatically collects information transmitted by your browser:

  • IP address (stored in shortened/anonymised form, unless required to defend against attacks)
  • Date and time of access
  • Volume of data transferred
  • Referrer URL
  • Browser and operating system used

Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in stability and security of the web offering).
Storage period: A maximum of 14 days, then deletion or anonymisation.

5.2 Website hosting (Hetzner Online GmbH)

Our website is hosted by:

Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany.

The servers are located exclusively in Germany (data centres in Nuremberg/Falkenstein). A data processing agreement under Art. 28 GDPR is in place with Hetzner. Hetzner is certified to ISO/IEC 27001.

Legal basis: Art. 6 (1)(f) GDPR.

5.3 SSL encryption

For security reasons and to protect the transmission of confidential content, we use TLS/SSL encryption (recognisable by "https://" in the address bar and the lock symbol).

5.4 Web analytics with Plausible Analytics

We use Plausible Analytics on our website, an analytics service provided by Plausible Insights OÜ, Västriku tn 2, 50403 Tartu, Estonia.

Plausible is a cookie-free, privacy-friendly analytics service. No cookies are set, no IP addresses are persistently stored, and no personal data is shared with third parties. The data is evaluated exclusively in aggregate, anonymised form (page views, referrers, coarse geographic region at country level, device type). Individual visitors are not re-identified.

The analytics service is hosted on servers within the EU (Germany/Finland).

Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in statistical evaluation to improve the offering); in our legal assessment, consent under § 25 TDDDG is not required because Plausible does not store or read any information on the end-user device: no cookies are set, no persistent device identifier is generated, and no recognition of individual visitors between sessions takes place. Any daily-rotating salt-hash for aggregated daily counting does not constitute a stable means of recognition and serves exclusively for statistical evaluation. The processing is therefore strictly necessary for providing the "website" service expressly requested by the user, within the meaning of § 25 (2) no. 2 TDDDG. We follow the prevailing view of the German supervisory authorities; the legal situation is monitored on an ongoing basis.

Further information: https://plausible.io/data-policy

5.5 Contact

When you contact us by email, contact form or via Microsoft Bookings (see 5.7), we process your details (name, email address, request, optionally company name and phone number) to handle your enquiry.

Legal basis: Art. 6 (1)(b) GDPR (initiation or performance of a contract) or Art. 6 (1)(f) GDPR (legitimate interest in efficient communication).
Storage period: Until the request is fully completed, plus statutory retention periods (in particular § 257 HGB, § 147 AO: max. 10 years for business-related correspondence).

5.6 Transactional emails / email dispatch

For sending transactional emails (trial confirmation, invoices, password reset, system notifications) we use the service of a specialised email provider:

Mailjet SAS, 4 rue Jules Lefebvre, 75009 Paris, France.
Hosting within the European Union.

Legal basis: Art. 6 (1)(b) GDPR.
A data processing agreement under Art. 28 GDPR is in place.

5.7 Appointment booking via Microsoft Bookings

For scheduling demo appointments and consultations we use Microsoft Bookings, which is part of our Microsoft 365 tenant.

Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.

Booking data is stored in our Microsoft 365 environment (Exchange Online) within the EU Data Boundary. Microsoft fully implemented the EU Data Boundary for its cloud services in February 2025; customer data is therefore processed exclusively on servers within the European Union.

When booking an appointment, the following data is collected: name, email address, chosen time, and optional additional details (e.g. company name, request, number of employees). Before completing the booking, you must actively consent to data processing via a corresponding checkbox.

On our booking pages, the booking page is embedded as an iframe. Microsoft's content and cookies are loaded only when you actively click "Load Bookings calendar" (click-to-load procedure). No data is transmitted to Microsoft before this click. After loading, Microsoft sets technically necessary cookies (e.g. for session and load balancing); these cookies are used exclusively by Microsoft for operating the booking service.

Legal basis: Art. 6 (1)(b) GDPR (pre-contractual measures / contract initiation).
A data processing agreement under Art. 28 GDPR exists in the form of the Microsoft Online Services Data Protection Addendum.

Microsoft privacy notice: https://privacy.microsoft.com/de-de/privacystatement

6. Processing when using the SaaS applications

6.1 Registration and 14-day trial

To use our SaaS applications, an account must be created. We collect the following data:

  • Name, business email address
  • Company name
  • Chosen password (stored as a hash, not in plain text)
  • Optional: phone number, number of employees, industry

The 14-day trial is activated without a credit card and ends automatically upon expiry unless a paid subscription is concluded.

Legal basis: Art. 6 (1)(b) GDPR (performance of a usage contract).

6.2 Ongoing use (tenant data)

During use, you and, where applicable, your employees enter data into the system (e.g. projects, time records, contacts, HR data, receipts). We process this data on your behalf as a processor (Art. 28 GDPR); the customer remains the controller. The basis is the Data Processing Agreement (DPA) concluded between you and us, which we conclude as standard as part of the main contract.

We provide a sample agreement and the associated technical and organisational measures (TOM) at https://www.consiliari-software.de/trust.

6.3 Hosting of the SaaS applications

The SaaS applications are hosted exclusively on servers of Hetzner Online GmbH in Germany (data centres in Nuremberg and/or Falkenstein). Customer data does not leave the EEA. Backups are also stored encrypted within Germany.

6.4 Payment processing with Stripe

For processing paid subscriptions we use the payment service provider:

Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

When concluding a paid subscription, payment data (credit-card number, SEPA data, billing address, amount) is transmitted directly to Stripe. We do not store full credit-card data ourselves. Stripe processes the data on its own responsibility and in compliance with the PCI-DSS standard.

Stripe Payments Europe Ltd. is a company based in Ireland; transfers to Stripe Inc. (USA) take place only to the extent strictly necessary to perform payment processing and on the following legal basis:

  • EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023); Stripe Inc. is listed in the Data Privacy Framework List;
  • additionally EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
  • in line with EDPB Recommendations 01/2020 (version of 18 June 2021), we have carried out a Transfer Impact Assessment (TIA) and supplemented it with additional technical and organisational measures (no transfer of special data categories to Stripe, purpose limitation to payment processing, encryption in transit TLS 1.2+). The TIA is available in our Trust Center.

Legal basis: Art. 6 (1)(b) GDPR (contract performance); Art. 45 GDPR (DPF) and Art. 46 (2)(c) GDPR (SCC) for third-country transfers.
Further information: https://stripe.com/de/privacy

6.5 Support communication

Support requests are submitted by email to support@consiliari-software.de or from within the application. We do not use an external helpdesk/ticketing tool; processing takes place exclusively on our servers at Hetzner Online GmbH in Germany and in our internally operated email system.

6.6 Data sharing with affiliated companies

Consiliari GmbH (Local Court Mannheim, HRB 727046, Brauerstraße 12, 76135 Karlsruhe) develops the SaaS applications and provides development and maintenance services to Consiliari Software GmbH. In this context, Consiliari GmbH may access technical layers of the system, e.g. for bug-fixing and further development.

Where this affects personal Customer Data, it takes place exclusively under an intra-group data processing agreement (Art. 28 GDPR); Consiliari GmbH is in this context a sub-processor of Consiliari Software GmbH and is subject to the same security requirements as set out in Annex 1 to the DPA. Access to production data is additionally protected by Privileged Access Management with just-in-time approval, time limitation and session recording (further details in Annex 1 to the DPA). Consiliari GmbH is listed as a sub-processor in Annex 2 to the DPA (see § 7 of this notice).

6.7 AI-assisted assistant features

The Services contain AI-assisted assistant features (e.g. for automated form filling, filter suggestions, full-text search, language translation). These features do not make decisions with legal effect within the meaning of Art. 22 GDPR and do not replace human assessment; they merely prepare inputs that the user reviews and approves before adoption. No fully automated individual decision-making takes place.

The LLM providers used are listed in full in Annex 2 to the DPA (registered office, data location, transfer mechanism). No personal Customer Data is used to train AI models of the providers (opt-out contractually secured in the providers' Enterprise tier). The Customer can deactivate the AI features tenant-wide.

Insofar as the AI features fall within the scope of the AI Act (Regulation (EU) 2024/1689), we comply with the applicable transparency and documentation obligations; based on current assessment, the features are predominantly classified as systems with low risk.

7. List of sub-processors

The following service providers process data on our behalf or as independent third parties (for payment processing):

| Provider | Purpose | Seat / data location | Legal basis / transfer |
|---|---|---|---|
| Consiliari GmbH (affiliated company) | Development, maintenance, level-3 support | Germany (Karlsruhe) | Intra-group DPA under Art. 28 GDPR |
| Hetzner Online GmbH | Hosting applications & website, backups | Germany (Nuremberg/Falkenstein) | Art. 28 GDPR (DPA); ISO 27001 |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (transfer to Stripe Inc., USA, where applicable) | Art. 6 (1)(b); additionally DPF + SCC |
| Mailjet SAS | Transactional emails | France (EU hosting) | Art. 28 GDPR |
| Plausible Insights OÜ | Web analytics (website) | Estonia/EU (Germany/Finland) | Art. 6 (1)(f) |
| LLM providers for AI features (see Annex 2 to the DPA) | AI assistant features (§ 6.7) | EU / USA depending on provider | Art. 28 GDPR + SCC + DPF where applicable |

A current, complete list is available in our Trust Center at https://www.consiliari-software.de/trust. We notify existing customers of changes 30 days in advance; customers have a right to object with extraordinary right of termination.

8. Storage period and deletion

We store personal data only for as long as necessary for the relevant purposes or as required by statutory retention obligations:

  • Server logs: 14 days
  • Plausible statistics: aggregated, no person-level attribution
  • Trial accounts without conversion: automatic deletion 30 days after the trial expires
  • Customer data after contract end: export within 30 days, then permanent deletion within a further 60 days
  • Invoice-relevant data: 10 years (§ 147 AO, § 257 HGB)
  • Contract-relevant correspondence: 6 years (§ 257 HGB)
  • Application documents: 4 months after rejection (AGG limitation period plus buffer); longer retention only with express consent for inclusion in the talent pool or in the event of pending legal proceedings

9. No automated individual decision-making / profiling

There is no automated decision-making that produces legal effects or similarly significant effects within the meaning of Art. 22 GDPR. Where we use AI-assisted assistant features (cf. § 6.7), these do not make such decisions but merely prepare content or suggestions that the user evaluates and approves.

9a. Employee data protection in the HR module

If a customer uses the HR module of the "Temporalis EMS" service, in its role as controller it processes its employees' data within the meaning of § 26 BDSG or based on a collective-bargaining agreement (§ 26 (4) BDSG). The customer is obliged to

  • inform employees pursuant to Art. 13 GDPR,
  • obtain works-council co-determination (§ 87 (1) no. 6 BetrVG for behaviour/performance monitoring via time tracking) where a works council exists,
  • enter sensitive data (Art. 9 GDPR, e.g. health data) into the Service only on a sound legal basis.

Consiliari Software GmbH supports the customer in fulfilling these obligations on request, within the framework of the DPA (Art. 28 (3)(e) and (f) GDPR).

9b. Data origin for third-party imports (Art. 14 GDPR)

If a customer imports third-party contact data (e.g. customer, supplier or prospect data) from external sources (CRM import, LinkedIn exports, business-card scans) into the Service, it is the controller for this data within the meaning of the GDPR and itself fulfils the information obligations to data subjects under Art. 14 GDPR. Consiliari Software GmbH acts solely as a processor in this respect.

10. Security

We take appropriate technical and organisational measures to protect your data (including TLS encryption in transit, encrypted backups, need-to-know access controls, role-based permissions, regular updates, 2-factor authentication for administrators, annual external penetration testing). Details are set out in our Technical and Organisational Measures (TOM) as an annex to the DPA.

11. Changes to this privacy notice

We adapt this privacy notice when the legal situation or our services change. The current version is available at this URL. We additionally inform active customers of material changes by email.

Contact for data-protection enquiries: dsb@consiliari-software.de
